pixel - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Security issues lead IT to block Outlook for iOS

IT could face a security nightmare with the new Outlook for iOS app due to some major issues and lack of MDM integration.

Security shortcomings for the new Outlook for iOS app have companies putting the brakes on the app before they've even fired up the engine.

The most glaring omission in the new Outlook applications for Apple iOS and Google Android is the lack of integration with mobile device management (MDM) platforms, which makes them a non-starter for many enterprises.

Yet issues with security, particularly with the Outlook for iOS app, appear to run even deeper. A blog post written by Rene Winkelmeyer, head of development with German consulting services and software development company Midpoints, outlined several major security concerns for the app.

The app connects to file-sharing services such as Dropbox, Google Drive and Microsoft OneDrive so any user can set up a personal account within the app and share mail attachments using those services, Winkelmeyer wrote in the blog post. The catch is that administrators can't control in-app communication.

Containerization may help with controlling that communication, but only if a software development kit is implemented around an app like Outlook for iOS, Winkelmeyer said in an email.

"An option could be to force all device communication over [a virtual private network] via MDM and block from there, i.e. Dropbox access," he said. "But that'll mean big changes in the VPN infrastructure for lots of companies as all device traffic would be affected."

Outlook for iOS also shares the same Exchange ActiveSync client ID across all of the user's devices, meaning IT can't distinguish whether someone is using their iPhone or iPad to access the app, Winkelmeyer wrote in the blog.

Lastly, and perhaps most problematically for IT, anyone who uses the app faces the reality that Microsoft could store that individual's email credentials in the cloud. After sending a test email, Winkelmeyer discovered "a frequent scanning from an [Amazon Web Services] IP" to his email account and found Microsoft was storing his personal credentials and server data in the cloud.

"That may be fine for companies which already use Microsoft's cloud," he said in an email. "But for companies that have their ActiveSync server for their own reasons not in the cloud, it's a big problem."

Opting out of Outlook for iOS

In response to Winkelmeyer's post, Microsoft said Outlook for iOS's privacy and security capabilities, along with controls available to IT administrators, meet the company's established thresholds and Microsoft continuously works to meet security standards.

Customers can consult the Controlling Device Access TechNet guidance to block the app and use the OWA for iPhone, iPad or Android apps if they have security concerns, a Microsoft spokesperson said.

A West Coast private equity firm that invests in software and other technology-related businesses has concerns over Outlook for iOS and isn't taking any chances.

"We have advised all of our portfolio companies to block this app from connecting to their Exchange/Office 365 instances for now," said the firm's IT program director, who requested anonymity. 

The firm recommends this because Microsoft can store sensitive data in the cloud and IT has no control over Microsoft doing that. Plus, the Outlook for iOS app is a version 1.0 product.

"We don't want to be guinea pigs," he said said. "We won't be looking to jump into the first version and at least wait until the first few service packs to come out."

Apps could be compliance non-starter

The Outlook for Android app is only in preview mode while the iOS app is generally available. The apps are rebranded versions of Acompli, which was acquired by Microsoft in December.

Some expect Microsoft to improve the code quality from Acompli to meet its own standards in the near future, said Wes Miller, vice president of research at Directions on Microsoft, an IT analysis firm in Kirkland, Wash.

"It could be Microsoft saying, 'We have to figure out these issues and we'll fix it over time,' and they could be downplaying them right now," Miller said.

In an IT environment conscious of preventing security breaches and access to encryption keys, the Outlook apps may be a non-starter for companies who must be in compliance with regulations limiting who has access to that kind of important information.

"It may impossible for a company to be in compliance if that information is being stored elsewhere," Miller said.

Microsoft plans to add MDM integration for the apps in the future, the company said in a blog post. MDM will help rectify these security issues to a certain point, Winkelmeyer said. MDM can let you blacklist an app or block some actions, but unless admins block access to the App Store, preventing downloads of the app on an iOS device is impossible.

Microsoft is planning to build a level of MDM directly within the Office 365 suite, which the company said would be ready this quarter. It may have been advantageous for Microsoft to have that feature released in time for the new mobile Outlook apps, Miller said.

Dig Deeper on EMM tools | Enterprise mobility management technology

Join the conversation

7 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Will you block your users from accessing Outlook for iOS, and why?
Cancel
We will not be blocking our users from Outlook use and access with iOS. Currently and based on our experiences using many different email clients, Outlook has proven to be the best available. The fact it is now available for use in iOS we not only won't block our users from using it we are going to actively begin outfitting all devices with Outlook as the primary email client. This is the best we've used.
Cancel
Carol482, I agree that Outlook is a great app, but are you concerned about the security implications?
Cancel
Because of the built-in and constantly upgraded security systems and patches with iOS we have very little concern where security is concerned with the Outlook for iOS app. Apple's security systems and protocols keep iOS devices very secured, even to the point of beating NSA level encryptions. Because Apple requires all apps sold in the App Store to meet the criteria to integrate with these security protocols, we are confident in Outlook for iOS.
Cancel
Yes. Outlook scares me and there are more secure and functional options available. AND I have a choice because I am my IT department. Many users - because of service agreements - are unable to make that choice. It astounds me at how rigid IT departments can be when it comes to working with BYOD and other software (outside of what's been approved), when they could do a little research and find out what's the least secure app or software in their enterprise. In most cases, the stuff they REQUIRE users to use is the least secure. Shaking my head.
Cancel
The iOS Outlook uses a cutting-edge technology that has enhanced the security of communication. Following the manual instructions can help starters to use it.
Cancel
Wow that sounds like a pretty serious flaw.  I have to wonder what the thinking behind that was.
Cancel

-ADS BY GOOGLE

SearchNetworking

SearchTelecom

SearchUnifiedCommunications

SearchSecurity

Close